Download
1 / 24
240 likes | 428 Views
The Foundation of Information Security. Encryption experts with 25 year history of HARDWARE security protection for:CommunicationsIntellectual Property RightsData and IdentitiesGlobal Company with Local ServiceHeadquartered in Maryland, USARegional headquarters in Camberley, UK Hong Kong30 offices located in more than 20 countiesEncryption technology heritage43 patents issued, 31 patents pendingMajority of the leading security vendors embed SafeNet's technology in their offerings Fastest Growing Networking Company 2005.
E N D
1. HSM Overview for Grid Computing
2. The Foundation of Information Security Encryption experts with 25 year history of HARDWARE security protection for:
Communications
Intellectual Property Rights
Data and Identities
Global Company with Local Service
Headquartered in Maryland, USA
Regional headquarters in
Camberley, UK
Hong Kong
30 + offices located in more than 20 counties
Encryption technology heritage
43 patents issued, 31 patents pending
Majority of the leading security vendors embed SafeNet’s technology in their offerings
Fastest Growing Networking Company – 2005
3. PKI Overview What is a Digital ID?
What is a PKI?
What is an HSM?
How are these used?
4. What is Digital Identity?
A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people. The purpose of the Digital Identity is to restore the ease and security human transactions once had, when we all knew each other and did business face-to-face, to a machine environment where we are often meeting each other for the first time as we enter into transactions over vast distances.
Attributes of a Digital Identity
A Digital Identity only needs to be as complete as a particular transaction requires. That is to say, some transactions require a far more robust Digital Identity than others, since the degree of trust and information required can vary significantly based on the type of transaction. A Digital Identity consists of two parts:
Who one is (identity)
The credentials that one holds (attributes of that identity).
These credentials define a Digital Identity, and they can be quite varied, of widely differing value, and have many different uses. The full Digital Identity is quite intricate and has legal as well as technical implications (here is a MIT white paper on the subject that will give you the idea.) However, the simplest possible Digital Identity consists of an ID (such as a user name) and an authentication secret (such as a password).
In this simplest Digital Identity the user name is the identity while the password is said to be the authentication credential. As computerized systems become more networked and distributed, Digital Identity must become more robust to make complex distributed user interactions easy while achieving the required control and security. Ultimately Digital Identity will become as complex and flexible in use as a real-world human identity. A Digital Identity can facilitate the following operations:
Authentication - Proving the Digital Identity is what it is representing itself to be in the transaction
Authorization - Gaining permission to access certain data or program applications
Confidentiality - Assuring that an unauthorized party cannot usefully intercept the data being transmitted
Data Integrity - Assuring that the data has not been tampered with during transmission
Proof of Source - Using public/private key encryption to assure the origination source of a document
Non-Repudiation - Using public/private key encryption to verify the source and destination entity of a transaction
Reputation - Aggregating signed information from various sources as credentials based on past transaction history
A Digital Identity allows transactions in which the parties are separated in time and space while retaining the ability of these transactions to contain all of the human identity based attributes that transactions between people have always had. The ability to have third party transactions such as power of attorney, agency, and others handled through Digital Identity are just some of the types of attributes that the Digital Identity will grow to have.
(For a complete white paper discussion of these attributes of a Digital Identity, click here.)
The human context must be restored to the impersonal, distributed, networked communications world where transactions arise ad hoc. Often one or more of the parties to such transactions is an automated computerized system that has to operate on a set of rules that require certain identity information, the release of which must be negotiated with its owner. Accomplishing this very personal task in an inherently impersonal setting is the purpose of the Digital Identity. What is Digital Identity?
A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people. The purpose of the Digital Identity is to restore the ease and security human transactions once had, when we all knew each other and did business face-to-face, to a machine environment where we are often meeting each other for the first time as we enter into transactions over vast distances.
Attributes of a Digital Identity
A Digital Identity only needs to be as complete as a particular transaction requires. That is to say, some transactions require a far more robust Digital Identity than others, since the degree of trust and information required can vary significantly based on the type of transaction. A Digital Identity consists of two parts:
Who one is (identity)
The credentials that one holds (attributes of that identity).
These credentials define a Digital Identity, and they can be quite varied, of widely differing value, and have many different uses. The full Digital Identity is quite intricate and has legal as well as technical implications (here is a MIT white paper on the subject that will give you the idea.) However, the simplest possible Digital Identity consists of an ID (such as a user name) and an authentication secret (such as a password).
In this simplest Digital Identity the user name is the identity while the password is said to be the authentication credential. As computerized systems become more networked and distributed, Digital Identity must become more robust to make complex distributed user interactions easy while achieving the required control and security. Ultimately Digital Identity will become as complex and flexible in use as a real-world human identity. A Digital Identity can facilitate the following operations:
Authentication - Proving the Digital Identity is what it is representing itself to be in the transaction
Authorization - Gaining permission to access certain data or program applications
Confidentiality - Assuring that an unauthorized party cannot usefully intercept the data being transmitted
Data Integrity - Assuring that the data has not been tampered with during transmission
Proof of Source - Using public/private key encryption to assure the origination source of a document
Non-Repudiation - Using public/private key encryption to verify the source and destination entity of a transaction
Reputation - Aggregating signed information from various sources as credentials based on past transaction history
A Digital Identity allows transactions in which the parties are separated in time and space while retaining the ability of these transactions to contain all of the human identity based attributes that transactions between people have always had. The ability to have third party transactions such as power of attorney, agency, and others handled through Digital Identity are just some of the types of attributes that the Digital Identity will grow to have.
(For a complete white paper discussion of these attributes of a Digital Identity, click here.)
The human context must be restored to the impersonal, distributed, networked communications world where transactions arise ad hoc. Often one or more of the parties to such transactions is an automated computerized system that has to operate on a set of rules that require certain identity information, the release of which must be negotiated with its owner. Accomplishing this very personal task in an inherently impersonal setting is the purpose of the Digital Identity.
5. A Public Key Infrastructure consists of software and procedures put in place by an organization to support the use of Public Keys for authentication--in identifying users, services, and confirming digital signatures.
Public keys usually conform to the X.509 standard for certificates, and usually are based on the RSA public/private key encryption algorithm--if you encrypt with the public key, you can only decrypt with the private key, or you can encrypt with the private and decrypt only with the public key. You keep your private key a closely guarded secret, but the public key can be given out to anyone whom you want to be able to verify that a message or file really did originate from you.A Public Key Infrastructure consists of software and procedures put in place by an organization to support the use of Public Keys for authentication--in identifying users, services, and confirming digital signatures.
Public keys usually conform to the X.509 standard for certificates, and usually are based on the RSA public/private key encryption algorithm--if you encrypt with the public key, you can only decrypt with the private key, or you can encrypt with the private and decrypt only with the public key. You keep your private key a closely guarded secret, but the public key can be given out to anyone whom you want to be able to verify that a message or file really did originate from you.
6. What is a Hardware Security Module (HSM)? Security: A device to keep private keys “close to your chest”
Performance: Accelerate encryption operations to eliminate bottlenecks
Audit: Provides a clear audit trail for all key materials: SAS70 / SOX / PCI / HIPPA / HSPD12 etc. They are devices for keeping keys in hardware- making the keys secure
Since the Keys underpin all the security mechanisms discussed- it is important that they are kept secure
Keeping a Key in Hardware means that you can control when, where, and how it is used
We have models that NEVER allow the key to be exported (sometimes even for backup)
They Perform Cryptographic Operations on those Keys- sometime very fast (acceleration)
Since most of the asymmetric crypto operations are very computationally expensive- the HSM needs to perform them quickly
They come in a variety of form factors
Attached to a network
Embedded in a Server
Portable
Password Authenticated or 2 factor Authenticated
They offer different programming interfaces
PKCS11, JCE, CAPI
They are devices for keeping keys in hardware- making the keys secure
Since the Keys underpin all the security mechanisms discussed- it is important that they are kept secure
Keeping a Key in Hardware means that you can control when, where, and how it is used
We have models that NEVER allow the key to be exported (sometimes even for backup)
They Perform Cryptographic Operations on those Keys- sometime very fast (acceleration)
Since most of the asymmetric crypto operations are very computationally expensive- the HSM needs to perform them quickly
They come in a variety of form factors
Attached to a network
Embedded in a Server
Portable
Password Authenticated or 2 factor Authenticated
They offer different programming interfaces
PKCS11, JCE, CAPI
7. How are Digital IDs, PKI and HSMs Used?
8. Types of HSMs Embedded HSMs
Network HSMs
Application Security Modules
9. Embedded HSMs
10. Network HSMs
11. Application Security Modules
12. What is a High Assurance HSM? Keys Always in Hardware
True Trusted Path Authentication
Premium Certifications
13. SafeNet Advantage: 3 Layers of HW Security Safenet built its products as the basis for protecting customers vital keys. No other vendor has the ability to protect keys in FIPS validated hardware
SafeNet uses a 3 layer security model as the basis for designing hardware systems
The First layer – is software security which is primarily concerned with maintaining the integrity of the software execution environment. Specifically, the goal of this layer ,via 3DES encryption technology, is to create an isolation barrier around the software environment such that it is difficult or impossible to introduce any rogue code
The Second layer – is the operational security layer which is concerned with the procedures and mechanisms that are used to authenticate and control the access to the system. In particular this layer addresses the problem of legitimate users engaging in illegitimate activity by limiting access control via a Pin Entry Device – which is similar to the procedure to operate a nuclear submarine
The Third layer – hardware security includes a tamper proof hardware device to create a physical isolation barrier required to defend against all forms of physical attack.
In addition, unlike other HSM vendors, SafeNet always stores the private keys in hardware!
Safenet built its products as the basis for protecting customers vital keys. No other vendor has the ability to protect keys in FIPS validated hardware
SafeNet uses a 3 layer security model as the basis for designing hardware systems
The First layer – is software security which is primarily concerned with maintaining the integrity of the software execution environment. Specifically, the goal of this layer ,via 3DES encryption technology, is to create an isolation barrier around the software environment such that it is difficult or impossible to introduce any rogue code
The Second layer – is the operational security layer which is concerned with the procedures and mechanisms that are used to authenticate and control the access to the system. In particular this layer addresses the problem of legitimate users engaging in illegitimate activity by limiting access control via a Pin Entry Device – which is similar to the procedure to operate a nuclear submarine
The Third layer – hardware security includes a tamper proof hardware device to create a physical isolation barrier required to defend against all forms of physical attack.
In addition, unlike other HSM vendors, SafeNet always stores the private keys in hardware!
